Convenience Store Chain Can’t Shield Investigative Report on Data Breach From Discovery, Judge Rules

We often hear of firms having their counsel running incident response and contracting of forensics, etc., so that any reports would be protected by work product doctrine as well as attorney-client privilege. But if the attorney doesn’t word the contract carefully, any report may not be covered by the doctrine. We saw that in a Capital One case last year in the Eastern District of Virginia involving a 2019 breach, and now we’re seeing it again over another 2019 case, this time in the Middle District of Pennsylvania.

P.J. Annunzio reports:

A federal judge has ruled that because an investigative report commissioned by Pennsylvania-based convenience store chain Rutter’s in response to a data security breach was not prepared for litigation purposes, it is discoverable.

In a July 22 ruling granting the class action plaintiffs’ motion to compel the document, U.S. Magistrate Chief Judge Karoline Mehalchick of the Middle District of Pennsylvania held that the report done by consultant Kroll Cyber Security for Rutter’s was not covered by attorney-client and work product privilege.



About the author: Dissent

Comments are closed.